[argus]how can i get all the tcp syn request

carter at qosient.com
Tue Sep 7 07:58:05 EDT 2010


You should print the records to stdout and visually inspect what will go into the DB, so that you can understand how to query the data. The "-Z" option will change the format of the "state" field to expose some of the state, and you can also print the stcpflags and dtcpflags, if that is important.

You can find all the records you are looking for with rasql(), but the performance will not be optimal, as rasql() will be doing the filtering.

Carter 


Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "shallwe19" <shallwe19 at gmail.com>
Date: Tue, 7 Sep 2010 18:10:22 
To: Carter Bullard<carter at qosient.com>; Paul Schmehl<pschmehl_lists at tx.rr.com>
Cc: argus-info<argus-info at lists.andrew.cmu.edu>
Subject: Re: Re: [ARGUS] [argus]how can i get all the tcp syn request

Thanks for your help, but it seems the problem has not been solved.

All the data of argus is stored in a mysql database, and I want to get all the syn packets from the mysql database.
I ran a test: I did a syn scan at a host (192.168.11.25) with NMAP using the -sS option from another host (192.168.19.14). At the same time, using tcpdump on the target host, I see all the packets are syn packets, but in the mysql db I see all the packets are marked with RST. Is there any mistake in argus when it puts the data into mysql?


Here is the output of tcpdump:

01:14:32.215260 IP 192.168.19.14.54903 > 192.168.11.25.19101: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215261 IP 192.168.19.14.54903 > 192.168.11.25.427: S 878641122:878641122(0) win 3072 <mss 1460>
01:14:32.215307 IP 192.168.19.14.54903 > 192.168.11.25.10012: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215414 IP 192.168.19.14.54903 > 192.168.11.25.9009: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215460 IP 192.168.19.14.54903 > 192.168.11.25.19101: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215544 IP 192.168.19.14.54903 > 192.168.11.25.4445: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215607 IP 192.168.19.14.54903 > 192.168.11.25.3869: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215683 IP 192.168.19.14.54903 > 192.168.11.25.10012: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215746 IP 192.168.19.14.54903 > 192.168.11.25.4445: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215747 IP 192.168.19.14.54903 > 192.168.11.25.992: S 878641122:878641122(0) win 3072 <mss 1460>
01:14:32.215801 IP 192.168.19.14.54903 > 192.168.11.25.543: S 878641122:878641122(0) win 2048 <mss 1460>


Below is the output image from the mysql database; if you do not see the image, you can see it in the attachment.

Is there any way I can get all the syn packets from the mysql db? Thank you all very much!

2010-09-07

shallwe19

From: Carter Bullard
Sent: 2010-09-04 04:29:06
To: Paul Schmehl
Cc: shallwe19; argus-info
Subject: Re: [ARGUS] [argus]how can i get all the tcp syn request
 
Hey Guys,
To get just tcp flows that had the syn:
   ra -ZS xxx - syn
To get tcp flows that had the syn or the synack argus states:
   ra -ZS xxx - syn or synack
To get flows that had tcp flags ack and push:
   ra - ack and push
The "Z" flag by itself just modifies how the "state" field is printed.
Carter
On Sep 3, 2010, at 3:11 PM, Paul Schmehl wrote:
> --On Friday, September 03, 2010 14:44:37 +0800 shallwe19 <shallwe19 at gmail.com> wrote:
> 
>> 
>> sorry to interrupt you, but will anybody tell me how can i get all the tcp
>> syn request.
>> it seems, when i run "ra -ZS xxx", i got some udp request
>> 
>> anyone can help me ?
> 
> ra -Zs xxx"
> 
> -- 
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> 
> 
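Carter's point above (the "state" field summarises how a flow ended, so a SYN scan against closed ports legitimately shows up as RST flows, and the SYN is only visible in the per-direction flags) can be illustrated with a small added example. This is a constructed Python model written for this thread, not argus's own code; the packets are constructed to match the scan in the tcpdump output, and the state labels it derives are a simplified assumption rather than argus's real state logic.

```python
# Added example (not argus code): a toy flow tracker showing why a SYN scan is
# recorded as "RST" flows, and why filtering on the per-direction TCP flags
# (stcpflags / dtcpflags) rather than on "state" recovers every SYN attempt.

# Constructed sample: SYN probes like those in the tcpdump output above, plus
# the target's replies (closed ports answer RST/ACK, one port is open, one
# probe gets no reply at all). Flag letters follow tcpdump's convention.
PACKETS = [
    ("192.168.19.14", 54903, "192.168.11.25", 19101, "S"),
    ("192.168.11.25", 19101, "192.168.19.14", 54903, "RA"),
    ("192.168.19.14", 54903, "192.168.11.25", 427, "S"),
    ("192.168.11.25", 427, "192.168.19.14", 54903, "RA"),
    ("192.168.19.14", 54903, "192.168.11.25", 10012, "S"),
    ("192.168.11.25", 10012, "192.168.19.14", 54903, "RA"),
    ("192.168.19.14", 54903, "192.168.11.25", 22, "S"),    # open port
    ("192.168.11.25", 22, "192.168.19.14", 54903, "SA"),
    ("192.168.19.14", 54903, "192.168.11.25", 22, "R"),    # half-open scan tears down
    ("192.168.19.14", 54903, "192.168.11.25", 9009, "S"),  # no reply (filtered)
]

def build_flows(packets):
    """Group packets into flows keyed on the initiator's 5-tuple and collect
    the TCP flags seen in each direction (what argus calls stcpflags and
    dtcpflags). A packet matching a known flow in reverse is a reply."""
    flows = {}
    for src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if key not in flows and rev in flows:
            flows[rev]["dtcpflags"] += flags   # reply direction
            continue
        flow = flows.setdefault(key, {"stcpflags": "", "dtcpflags": ""})
        flow["stcpflags"] += flags
    return flows

def state_of(flow):
    """Simplified (assumed) summary state: it reflects how the connection
    ended, not how it started, so a SYN answered by RST is reported as RST."""
    if "R" in flow["stcpflags"] + flow["dtcpflags"]:
        return "RST"
    if "S" in flow["dtcpflags"]:
        return "CON"
    return "REQ"

def syn_flows(flows):
    """Every flow whose initiator sent a SYN, whatever its final state."""
    return {k: v for k, v in flows.items() if "S" in v["stcpflags"]}

if __name__ == "__main__":
    for key, flow in build_flows(PACKETS).items():
        print(key, state_of(flow), flow["stcpflags"], flow["dtcpflags"])
```

Querying the DB on state alone would return the RST rows and miss nothing here, but it would also match flows reset for unrelated reasons; a condition on stcpflags containing S is what selects the SYN attempts.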